# Google Cloud Integration

{% hint style="success" %}
To integrate GCP, you must first integrate Google Workspace.
{% endhint %}

### Step 1 - Enable Required Google Cloud APIs <a href="#h_01hap257fw6xwsh0jyx70vvm8d" id="h_01hap257fw6xwsh0jyx70vvm8d"></a>

1. Log in to the Google Cloud console with **organization administrator** credentials.
2. Start Cloud Shell by clicking the CLI icon on the right side of the bar.
3. In the shell interface, enter the following script to enable the required API access in all of the projects that Rezonate should protect.

```bash
# Enable the APIs Rezonate reads from in every project visible to this account.
for project in $(gcloud projects list --format="value(projectId)")
do
    echo "ProjectId:  $project"
    gcloud services enable cloudresourcemanager.googleapis.com --project="$project"
    gcloud services enable recommender.googleapis.com --project="$project"
    gcloud services enable cloudasset.googleapis.com --project="$project"
    gcloud services enable policyanalyzer.googleapis.com --project="$project"
done
```

Enabling these APIs allows Rezonate to enumerate resources, privileges, and other capabilities.

**List of APIs and their usage**

| API Endpoint                        | Why Rezonate Requests This Endpoint                                                    |
| ----------------------------------- | -------------------------------------------------------------------------------------- |
| cloudresourcemanager.googleapis.com | This API allows reading of the organizational structure and objects in it.             |
| recommender.googleapis.com          | This API allows the reading of Google insights regarding your organization.            |
| cloudasset.googleapis.com           | This API allows the reading of resources within your projects.                         |
| policyanalyzer.googleapis.com       | This API allows the reading of policies throughout the whole organizational structure. |


### Step 2 - Grant Rezonate Access to Your Google Cloud Organization <a href="#h_01hap257fwprw4awr9krbht3mh" id="h_01hap257fwprw4awr9krbht3mh"></a>

1. Go to the [IAM](https://console.cloud.google.com/iam-admin/iam) page. Use the organization/project drop-down list to choose your **Organization**.

2. Click **Grant Access**.

3. In the New Principals box, enter the email address provided by Rezonate - **<rezonate@rezonapp.iam.gserviceaccount.com>**, to establish trust between the organizations.

4. In the Role boxes, grant the new service account the following read-only roles, at the **organization level**:
   1. Browser
   2. Security Reviewer
   3. Viewer

5. Click **Save**.

6. On the same page, you should now see that Rezonate’s service account has been assigned the roles you added. ![](https://rezonate.zendesk.com/hc/article_attachments/11076728898333)

7. Save and send your **organization ID** and the **project IDs** you wish Rezonate to protect. ![](https://rezonate.zendesk.com/hc/article_attachments/11076755943453)

8. Execute the following commands to retrieve your organization ID and the list of all project IDs, then filter the project list down to the ones you want Rezonate to access:

```bash
# List every project ID visible to this account.
gcloud projects list --format="value(projectId)"
# Print the organization ID.
gcloud organizations list --format="value(ID)"
```
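To confirm the outcome of Steps 1 and 2, the script below (an added example, not Rezonate's own tooling) checks that the service account holds exactly the three read-only roles at the organization level and that the four APIs are enabled in each project. It assumes the role IDs `roles/browser`, `roles/iam.securityReviewer` and `roles/viewer` for the Browser, Security Reviewer and Viewer display names; the function names and the `ORG_ID` variable are illustrative.

```bash
#!/bin/sh
# Added example (not Rezonate tooling): audit the result of Steps 1 and 2.
SA="serviceAccount:rezonate@rezonapp.iam.gserviceaccount.com"
# Assumed role IDs for the Browser, Security Reviewer and Viewer display names.
WANT_ROLES="roles/browser roles/iam.securityReviewer roles/viewer"
WANT_APIS="cloudresourcemanager.googleapis.com recommender.googleapis.com
cloudasset.googleapis.com policyanalyzer.googleapis.com"

# not_in A B: print each word of A that is absent from B (whitespace-separated).
not_in() {
    hay=" $(echo $2) "
    for item in $1; do
        case "$hay" in *" $item "*) ;; *) echo "$item" ;; esac
    done
}

# check_roles ROLES: ROLES are the roles bound to $SA in the organization policy.
# Any drift fails: a missing role, or an extra grant beyond the three read-only ones.
check_roles() {
    missing=$(not_in "$WANT_ROLES" "$1"); extra=$(not_in "$1" "$WANT_ROLES")
    if [ -n "$missing" ]; then echo "MISSING role(s): $(echo $missing)"; fi
    if [ -n "$extra" ]; then echo "UNEXPECTED role(s): $(echo $extra)"; fi
    [ -z "$missing$extra" ]
}

# check_apis PROJECT ENABLED: only missing APIs matter; other enabled APIs are fine.
check_apis() {
    missing=$(not_in "$WANT_APIS" "$2")
    if [ -n "$missing" ]; then echo "$1: NOT enabled: $(echo $missing)"; return 1; fi
}

if [ -n "${ORG_ID:-}" ] && command -v gcloud >/dev/null 2>&1; then
    # Live audit: organization-level bindings only (project-level grants are not read).
    roles=$(gcloud organizations get-iam-policy "$ORG_ID" \
        --flatten="bindings[].members" --filter="bindings.members:$SA" \
        --format="value(bindings.role)")
    check_roles "$roles" || true
    for p in $(gcloud projects list --format="value(projectId)"); do
        check_apis "$p" "$(gcloud services list --enabled --project="$p" \
            --format="value(config.name)")" || true
    done
else
    # Offline demo on constructed input: one role missing, one write-capable role added.
    check_roles "roles/browser roles/viewer roles/editor" || true
    check_apis "constructed-project" "cloudasset.googleapis.com" || true
fi
```

Run it in Cloud Shell with `ORG_ID` set to your organization ID; without it, the script only prints the result for the constructed sample.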

